SERVICE DESCRIPTION Use Of The Managed PKI For SSL Platform . - DigiCert


Managed PKI for SSL Service Description/Services Agreement

SERVICE DESCRIPTION

Use of the Managed PKI for SSL platform and any Certificates requested or issued thereunder will be governed by the following Certificate Terms of Use:

DIGITAL CERTIFICATES BY DIGICERT – TERMS OF USE

These Digital Certificates Terms of Use (“Certificate Terms of Use”) apply to each digital certificate (“Certificate”), whether publicly-trusted TLS/SSL Certificates, Client Certificates (as defined in Section 9), Qualified Certificates (as defined in Section 10), or otherwise, issued by DigiCert, Inc., a Utah corporation, or any of its affiliates, including its Qualified Trust Service Providers (collectively, “DigiCert”) to an entity or person (“Customer”), as identified in the DigiCert services management portal and/or related API made available to Customer (“Portal”) or issued Certificate. The account to access and use the Portal on Customer’s behalf is referred to herein as the “Portal Account.”

By accepting or signing an agreement that incorporates these Certificate Terms of Use by reference (such agreement, together with these terms, collectively, the “Agreement”), the accepter or signer (the “Signer”) represents and warrants that he/she (i) is acting as an authorized representative of the Customer on whose behalf the Signer is accepting this Agreement, and is expressly authorized to sign the Agreement and bind Customer to the Agreement, (ii) has the authority to obtain the digital equivalent of a company stamp, seal, or officer’s signature to establish (x) the authenticity of Customer’s website, and (y) that Customer is responsible for all uses of the Certificate, (iii) is expressly authorized by Customer to approve Certificate requests on Customer’s behalf, and (iv) has or will confirm Customer’s exclusive right to use the domain(s) to be included in any issued Certificates.

Customer and DigiCert hereby agree as follows:

1. Account Users.

Customer authorizes each individual listed as an administrator in the Portal Account to act as a Certificate Requester, Certificate Approver, and Contract Signer (as defined in the EV Guidelines) and to communicate with DigiCert regarding the management of Certificates and key sets. “EV Guidelines” means the Extended Validation Guidelines published by the CA/Browser Forum (“CAB Forum”) and made publicly available at www.cabforum.org. Customer may revoke this authority by sending notice to DigiCert. Customer is responsible for periodically reviewing and reconfirming which individuals have authority to request and approve Certificates. If Customer wishes to remove a Portal Account user, Customer will take the steps necessary to prevent such user’s access to the Portal, including changing its password and other authentication mechanisms for its Portal Account. Customer must notify DigiCert immediately if any unauthorized use of the Portal or Portal Account is detected. Customer affirms that: (i) Customer authorizes DigiCert to scan, gather, and collect data pertinent to DigiCert’s services and to automate Certificate renewal and upgrade; (ii) Customer will use the services to scan and automate only the domains, IP addresses, or assets that Customer owns or controls; (iii) Customer will use the services only for its intended purpose as described and marketed by DigiCert and in accordance with the DigiCert Acceptable Use Policy located at https://www.digicert.com/legal-repository.

2. Requests.

Customer may request Certificates only for domain names registered to Customer, an affiliate of Customer, or other entity that expressly authorizes DigiCert to allow Customer to obtain and manage Certificates for the domain name. DigiCert may limit the number of domain names that Customer may include in a single Certificate in DigiCert’s sole discretion.

3. Verification.

After receiving a request for a Certificate from Customer, DigiCert will review the request and attempt to verify the relevant information in accordance with the DigiCert Certification Practices Statement and applicable industry standards, guidelines and requirements, including laws and regulations related to the issuance of Certificates (“Industry Standards”). Verification of such requests is subject to DigiCert’s sole discretion, and DigiCert may refuse to issue a Certificate for any reason or no reason. DigiCert will notify Customer if a Certificate request is refused but DigiCert is not required to provide a reason for the refusal. “Certificate Practices Statement” or “CPS” means the applicable written statements of the policies and practices used by DigiCert to operate its public key infrastructure (“PKI”), including applicable Time-Stamp Policies and Statements. DigiCert’s CPSs are available at https://www.digicert.com/legal-repository. CPSs for services issued from a QTSP (whether acting in its capacity as a QTSP or otherwise) or an affiliate entity are available

Version 5/14/2021

4. Certificate Life Cycle.

The lifecycle of an issued Certificate depends on the selection made by Customer when ordering the Certificate, the requirements in the CPS, and the intended use of the Certificate. DigiCert may modify Certificate lifecycles for unissued Certificates as necessary to comply with requirements of: (i) the Agreement; (ii) Industry Standards; (iii) DigiCert’s auditors; or (iv) an Application Software Vendor. “Application Software Vendor” means an entity that displays or uses Certificates in connection with a distributed root store in which DigiCert participates or will participate. Customer agrees to cease using a Certificate and its related Private Key (defined below) after the Certificate’s expiration date or after DigiCert revokes a Certificate as permitted in the Agreement.

5. Issuance.

If verification of a Certificate is completed to DigiCert’s satisfaction, DigiCert will issue and deliver the requested Certificate to Customer using any reasonable means of delivery. Typically, DigiCert will deliver Certificates via email to an address specified by Customer, as an electronic download in the Portal, or in response to an API call made by Customer via the Portal. Publicly-trusted Certificates are issued from a root or intermediate Certificate selected by DigiCert. DigiCert may change which root or intermediate certificate is used to issue Certificates at any time and without notice to Customer. Customer will abide by all applicable laws, regulations and Industry Standards when ordering and using Certificates, including United States export control and economic sanctions laws and regulations. Customer acknowledges that the Certificates are not available in countries or regions restricted by the United States Treasury Department’s Office of Foreign Assets Control, the United States Commerce Department, the European Commission, the United Kingdom HM Treasury’s Office of Financial Sanctions Implementation, or other applicable governmental agencies having jurisdiction over DigiCert.

6. Certificate License.

Effective immediately after delivery and continuing until the Certificate expires or is revoked, Customer may only use, for the benefit of the Certificate’s subject, each issued Certificate and corresponding Key Set for the purposes described in the CPS, in accordance with all applicable laws, regulations, Industry Standards, and with the terms herein. Any Certificates trusted by Application Software Vendors are subject to all applicable Industry Standards requirements, including those found in applicable Application Software Vendor root store policies and the CPS, regardless of how the Certificates are used. Any use that is not allowed by applicable Industry Standards or the CPS is not permitted. DigiCert strongly discourages certificate or key pinning, using Certificates trusted for the web with non-web PKI, or any other use of Certificates that would make it difficult for Customer to meet the revocation timelines or other requirements of the CPS, and any such use will not be considered a sufficient reason to delay revocation. “Key Set” means a set of two or more mathematically related keys, referred to as Private Keys or key shares along with a Public Key, wherein (i) the Public Key can encrypt a message which only the Private Key(s) can decrypt, and (ii) even knowing the Public Key, it is computationally infeasible to discover the Private Key(s). Customer will promptly inform DigiCert if it becomes aware of any misuse of a Certificate, Private Key, or the Portal. Customer is responsible for obtaining and maintaining any authorization or license necessary to order, use, and distribute a Certificate to end users and systems, including any license required under United States’ export laws. SSL Certificates may be used on one or more physical servers or devices at a time; however, DigiCert may charge a fee for use of Certificates on additional servers or devices.

7. Key Sets.

A “Private Key” means the key that is kept secret by Customer that is used to create digital signatures and/or decrypt electronic records or files that were encrypted with the corresponding Public Key. A “Public Key” means Customer’s publicly-disclosed key that is contained in Customer’s Certificate and corresponds to the secret Private Key that Customer uses. Customer must (i) generate Key Sets using trustworthy systems, (ii) use Key Sets that are at least the equivalent of RSA 2048 bit keys, and (iii) keep all Private Keys confidential. Customer is solely responsible for any failure to protect its Private Keys. Customer represents that it will only generate and store Key Sets for Adobe Signing Certificates and EV Code Signing Certificates on a FIPS 140-2 Level 2 device. All other Certificate types may be stored on secure software or hardware systems. Customer is responsible for ensuring that Customer’s acquisition, use, or acceptance of Key Sets generated by DigiCert in accordance with the Agreement complies with applicable local laws, rules and regulations – including but not limited to export and import laws, rules, and regulations – in the jurisdiction in which Customer acquires, uses, accepts or otherwise receives such Key Sets. If Customer is permitted to import or export Private Keys (including copies) in connection with its use of specific DigiCert services, DigiCert will not be liable to Customer for Customer’s use or storage of Private Keys (including copies) that are not created in the applicable Portal or service or that are used outside such Portal or service, including after they are exported from the applicable Portal or service.

8. Certificate Transparency.

To ensure Certificates function properly throughout their lifecycle, DigiCert may log Certificates with a public certificate transparency database. Log server information is publicly accessible. Once submitted, information cannot be removed from a log server.

9. Client Certificates.

“Client Certificate” means a Certificate that contains any extendedKeyUsage other than codeSigning, timestamping or serverAuthentication. The Client Certificate uses are varied and are defined by the Client Certificate profile. Some of the possible uses defined in a Client Certificate profile may include digital signature, email encryption, and cryptographic authentication. If Customer wishes to request Client Certificates, Customer must (i) confirm the identity and affiliation of the requester using appropriate internal documentation as prescribed by the CPS, and (ii) confirm that the information provided and representations related to or incorporated in any Client Certificate are true, complete, and accurate in all material respects.

10. Qualified Certificates.

“Qualified Certificate” means a Certificate (i) that is issued by a Qualified Trust Service Provider pursuant to the requirements of applicable EU or Swiss certification and electronic signature laws, and (ii) that carries the highest assurance level of “qualified” pursuant to such requirements. “Qualified Trust Service Provider” or “QTSP” means an affiliate entity of DigiCert that is certified by governmental authorities to issue Qualified Certificates. DigiCert’s QTSPs are as follows:

QTSP Entity                     Trusted List               Jurisdiction of Supervisory Body
QuoVadis Trustlink B.V.         Netherlands Trusted List   Netherlands
DigiCert Europe Belgium B.V.    Belgium Trusted List       Belgium
QuoVadis Trustlink Schweiz AG   Swiss Trusted List         Switzerland

With respect to Qualified Certificates, Customer will (i) where use of a Qualified Signature Creation Device (QSCD) is required by Industry Standards, only use its Qualified Certificates for electronic signatures generated using the QSCD storing the Qualified Certificates, (ii) if Customer is a natural person, maintain and use their Private Keys only under their sole control; and (iii) if Customer is a legal entity or organization, maintain and use its Private Keys only under its control and direction.

11. Management.

DigiCert will generally issue, manage, renew, and revoke a Certificate in accordance with any instructions submitted by Customer through the Portal and may rely on such instructions as accurate. Customer will provide accurate and complete information when communicating with DigiCert and will notify DigiCert within 5 Business Days if any information relating to its account on the Portal changes. Customer will respond to any inquiries from DigiCert regarding the validity of information provided by Customer within 5 Business Days after Customer receives notice of the inquiry. Customer will review and verify the Certificate data for accuracy prior to using the Certificate. Certificates are considered accepted by Customer thirty (30) days after the Certificate’s issuance, or earlier upon use of the Certificate when evidence exists that the Customer used the Certificate. Although DigiCert may send a reminder about expiring Certificates, DigiCert is under no obligation to do so and Customer is solely responsible for ensuring Certificates are renewed prior to expiration. “Business Day” means Monday through Friday, excluding U.S. Federal Holidays, which are set forth in 5 U.S.C. § 6103.

12. Registration Authority.

Except for publicly-trusted TLS/SSL Certificates and Qualified Certificates, Customer is appointed as a Registration Authority (and Customer hereby accepts such appointment) pursuant to the terms of the applicable CPS. To the extent that Customer performs any functions of a Registration Authority, it will do so in compliance with the applicable CPS, and DigiCert may rely on Customer’s actions when acting as a Registration Authority. To the extent any third-party claim, suit, proceeding or judgment arises from Customer’s failure to strictly comply with the obligations of a Registration Authority, Customer must defend, hold harmless, and indemnify DigiCert and its directors, officers, agents, employees, successors and assigns from such claim. If operating as a Registration Authority, Customer will cause its subscribers receiving Certificates hereunder to abide by the terms of the DigiCert Subscriber Agreement, found at … Subscribers of Customer must accept the Subscriber Agreement before receiving Certificates.

13. Security and Use of Key Sets.

Customer will securely generate and protect the Key Sets associated with a Certificate and take all steps necessary to prevent the compromise, loss, or unauthorized use of a Private Key associated with a Certificate. Customer will use passwords that meet the requirements specified by the CAB Forum network security requirements and other relevant requirements to meet best practices. Customer will only allow Customer’s employees, agents, and contractors to access or use Private Keys if the employee, agent, or contractor has undergone a background check by Customer (to the extent allowed by law) and has training or experience in PKI and other information security fields. Customer will notify DigiCert, request revocation of a Certificate and its associated Private Key, cease using such Certificate and its associated Private Key, and remove the Certificate from all devices where it is installed if: (i) any information in the Certificate is or becomes incorrect or inaccurate, or (ii) there is any actual or suspected misuse or compromise of the Private Key associated with the Public Key included in the Certificate. For code signing Certificates, Customer will promptly cease using a Certificate and its associated Private Key and promptly request revocation of the Certificate if Customer believes that (a) any information in the Certificate is, or becomes, incorrect or inaccurate, (b) the Private Key associated with the Public Key contained in the Certificate was misused or compromised, or (c) there is evidence that the Certificate was used to sign Suspect Code. “Suspect Code” means code that
contains harmful or malicious functionality of any kind or that contains serious vulnerabilities, including spyware, malware and other code that installs without the user’s consent and/or resists its own removal, and code that can be exploited in ways not intended by its designers to compromise the trustworthiness of the platforms on which it executes. Customer will not use the same Private Key for different Certificate types. For example, Customer will not use a Private Key that is used for code signing to request a non-code signing Certificate. If DigiCert detects that a Private Key that has been used for a certain Certificate type or action (e.g., code signing) is being used to request a different Certificate type (e.g., TLS/SSL or Client Certificate), then DigiCert will be required to revoke all Certificates associated with such Private Key or related Key Set that are in Customer’s related Portal Account or that have otherwise been issued by DigiCert. Customer will respond to DigiCert’s instructions concerning Key Set compromise or Certificate misuse within 24 hours. Customer will promptly cease using the Key Set corresponding to a Certificate upon the earlier of (I) revocation of the Certificate, and (II) the date when the allowed usage period for the Key Set expires. After revocation, Customer must cease using the Certificate.

14. Defective Certificates.

Customer’s sole remedy for a defect in a Certificate (“Defect”) is to require DigiCert to use commercially reasonable efforts to cure the Defect after receiving notice of such Defect from Customer. DigiCert is not obligated to correct a Defect if (i) Customer misused, damaged, or modified the Certificate, (ii) Customer did not promptly report the Defect to DigiCert, or (iii) Customer has breached any provision of the Agreement.

15. Relying Party Warranty.

Customer acknowledges that the Relying Party Warranty is only for the benefit of Relying Parties. “Relying Party Warranty” means a warranty offered to a Relying Party that meets the conditions found in the Relying Party Agreement and Limited Warranty posted on DigiCert’s website at https://www.digicert.com/legal-repository. The Relying Party Warranty for Certificates issued from a QTSP or a DigiCert affiliate is posted at https://www.quovadisglobal.com/repository. Customer does not have rights under the Relying Party Warranty, including any right to enforce the terms of the Relying Party Warranty or make a claim under the Relying Party Warranty. “Relying Party” has the meaning set forth in the Relying Party Warranty. An Application Software Vendor is not a Relying Party when the software distributed by the Application Software Vendor merely displays information regarding a Certificate or facilitates the use of the Certificate or digital signature.

16. Representations.

For each requested Certificate, Customer represents and warrants that:

a. Customer has the right to use or is the lawful owner of (i) any domain name(s) specified in the Certificate, and (ii) any common name or organization name specified in the Certificate;
b. Customer will use the Certificate only for authorized and legal purposes, including not using the Certificate to sign Suspect Code, and will use the Certificate and Private Key solely in compliance with all applicable laws and solely in accordance with the Certificate purpose, the CPS, any applicable certificate policy, and the Agreement;
c. Customer has read, understands, and agrees to the CPS;
d. Customer will immediately report in writing to DigiCert any non-compliance with the CPS or Baseline Requirements; and
e. the organization included in the Certificate and the registered domain name holder is aware of and approves of each Certificate request.

17. Restrictions.

Customer will only use a TLS/SSL Certificate on the servers accessible at the domain names listed in the issued Certificate. Additionally, Customer will not:

a. modify, sublicense, or create a derivative work of any TLS/SSL Certificate (except as required to use the Certificate for its intended purpose) or Private Key;
b. upload or distribute any files or software that may damage the operation of another’s computer;
c. make representations about or use a TLS/SSL Certificate except as allowed in the CPS;
d. impersonate or misrepresent Customer’s affiliation with any entity;
e. use a Certificate or any related software or service (such as the Portal) in a manner that could reasonably result in a civil or criminal action being taken against Customer or DigiCert;
f. use a Certificate or any related software to breach the confidence of a third party or to send or receive unsolicited bulk correspondence;
g. use code signing Certificates to sign Suspect Code;
h. apply for a code signing Certificate if the Public Key in the Certificate is or will be used with a non-code signing Certificate;
i. interfere with the proper functioning of the DigiCert website or with any transactions conducted through the DigiCert website;
j. attempt to use a Certificate to issue other Certificates;
k. monitor, interfere with or reverse engineer the technical implementation of the DigiCert systems or software or otherwise knowingly compromise the security of the DigiCert systems or software;
l. submit Certificate information to DigiCert that infringes the intellectual property rights of any third party; or
m. intentionally create a Private Key that is substantially similar to a DigiCert or third-party Private Key.

18. Certificate Revocation.

DigiCert may revoke a Certificate without notice for the reasons stated in the CPS, including if DigiCert reasonably believes that:

a. Customer requested revocation of the Certificate or did not authorize the issuance of the Certificate;
b. Customer has breached the Agreement or an obligation it has under the CPS;
c. any provision of an agreement with Customer containing a representation or obligation related to the issuance, use, management, or revocation of the Certificate terminates or is held invalid;
d. Customer is added to a government prohibited person or entity list or is operating from a prohibited destination under the laws of the United States;
e. the Certificate contains inaccurate or misleading information;
f. the Certificate was used without authorization, outside of its intended purpose or used to sign Suspect Code;
g. the Private Key associated with the Certificate was disclosed or compromised;
h. the Certificate was (i) misused, (ii) used or issued contrary to law, the CPS, or Industry Standards, or (iii) used, directly or indirectly, for illegal or fraudulent purposes, such as phishing attacks, fraud, or the distribution of malware, other illegal or fraudulent purposes, or any other violations as outlined in the DigiCert Acceptable Use Policy; or
i. Industry Standards or DigiCert’s CPS require Certificate revocation, or revocation is necessary to protect the rights, confidential information, operations, or reputation of DigiCert or a third party.

19. Sharing of Information.

Customer acknowledges and accepts that if (i) the Certificate or Customer is identified as a source of Suspect Code, (ii) the authority to request the Certificate cannot be verified, or (iii) the Certificate is revoked for reasons other than Customer request (e.g. as a result of private key compromise, discovery of malware, etc.), DigiCert is authorized to share information about Customer, any application or object signed with the Certificate, the Certificate, and the surrounding circumstances with other certification authorities or industry groups, including the CAB Forum.

20. Industry Standards.

Both parties will comply with all Industry Standards and laws that apply to the Certificates; if such an applicable law or Industry Standard changes and that change affects the Certificates or other services provided under the Agreement, then DigiCert may alter the services or amend or terminate the Agreement to the extent necessary to comply with the change.

21. Equipment.

Customer is responsible, at Customer’s expense, for (i) all computers, telecommunication equipment, software, access to the Internet, and communications networks (if any) required to use the Certificates and related DigiCert software or services; and (ii) Customer’s conduct and its website maintenance, operation, development, and content.

22. Certificate Beneficiaries.

Relying Parties and Application Software Vendors are express third-party beneficiaries of Customer’s obligations and representations related to the use or issuance of a Certificate. The Relying Parties and Application Software Vendors are not express third-party beneficiaries with respect to any DigiCert software.

23. Intermediate Certificates.

This Section 23 only applies if Customer purchases a dedicated Private Root Certificate and/or Intermediate Certificate for the issuance of Private Certificates or publicly-trusted Certificates as specified in an Order Form.

a. Creation. Within 60 days after receiving applicable payment pursuant to the Agreement and the information required by DigiCert to create the Root Certificate and/or Intermediate Certificate as described in subsection (b) below, DigiCert will create a Root Certificate and/or an Intermediate Certificate for issuing (i) non-publicly trusted Certificates through the Portal or (ii) publicly-trusted Certificates as specified in an Order Form. A “Private Certificate” means a Certificate that is not embedded in any trust store. A “Root Certificate” means a self-signed Certificate that is stored in a secure off-line state and used to issue other Certificates. “Intermediate Certificate” means a Certificate that is signed by a Private Key corresponding to a Root Certificate and that is used to issue Certificates for use by Customer.

b. Contents. DigiCert and Customer will work together in good faith to determine the appropriate contents of the Root Certificate and/or Intermediate Certificate. Customer must provide DigiCert with all information required by DigiCert for the creation of the Root Certificate and/or Intermediate Certificate within twelve (12) months of concluding an agreement for the creation of that Root Certificate and/or Intermediate Certificate. If Customer fails to provide all required information within that time frame, Customer will forfeit the right to request the Root Certificate and/or Intermediate Certificate and DigiCert will retain any fees paid for the creation of the Root Certificate and/or Intermediate Certificate. After an Intermediate Certificate is created, Customer may not modify the contents of such Intermediate Certificate but may create as many identical copies of the Intermediate Certificate as needed. Intermediate Certificates have a set ten-year lifecycle, after which they expire without renewal. Customer is responsible for ensuring that all Certificates issued from an Intermediate Certificate expire at least two years prior to the expiration of the Intermediate Certificate. DigiCert has the right to revoke any Certificates issued from the Intermediate Certificates that are still valid within two years of the expiration of the Intermediate Certificate.

c. Ownership. DigiCert retains sole ownership of the Intermediate Certificate but, except as otherwise provided herein, will use the Intermediate Certificate issued in connection with this Agreement solely in accordance with the instructions provided by Customer through the Portal. Customer may generate copies of the Intermediate Certificate and distribute copies of the Intermediate Certificate to its own end users and customers.

d. Hosting. DigiCert will host the Intermediate Certificate’s Private Key in DigiCert’s secure PKI systems. Customer may not remove or have a third party remove the Intermediate Certificate’s Private Key from DigiCert’s PKI systems for any reason. DigiCert will provide and host CRL/OCSP services for Customer. DigiCert will continue to provide the CRL/OCSP services after the Agreement’s termination until all Certificates issued thereunder expire or are revoked. For an Intermediate Certificate that issues publicly-trusted Certificates, because the Intermediate Certificate issues publicly-trusted Certificates, is hosted in DigiCert’s PKI, and is managed by DigiCert’s personnel, the Intermediate Certificate will be covered by DigiCert’s WebTrust audit. If Industry Standards or the policies of an Application Software Vendor change in a manner that requires a separate audit of the Intermediate Certificate, then DigiCert and Customer will work together in good faith to obtain the required audit.

e. Revocation. DigiCert will have the right to revoke the Intermediate Certificate if: (i) Customer requests revocation in writing to DigiCert, citing a specific violation of industry standards; (ii) DigiCert has reasonable grounds to believe the Intermediate Certificate has been compromised; (iii) Customer materially breaches the Agreement and fails to remedy the breach within 30 days after receiving notice of the breach; (iv) Customer continues to use the Intermediate Certificate after Customer’s right to use the Intermediate Certificate terminates; or (v) DigiCert reasonably believes the revocation is required by Industry Standards.

f. Restrictions. Customer will not: (i) create or atte
